Presentation on theme: "IT Service Delivery And Support Week Ten"— Presentation transcript:
1IT Service Delivery And Support Week Ten IT Auditing and Cyber SecuritySpring 2014Instructor: Liang Yao (MBA MS CIA CISA CISSP)
2IT Service Delivery and Support Information SecurityRecent Security IncidentsSecurity ObjectivesSecurity ProcessGovernanceInformation Security Risk AssessmentInformation Security StrategySecurity Controls ImplementationSecurity Monitoring
3IT Service Delivery and Support Top Security Incidents# 10. Wyndham Hotels –credit card information were stored in plain textData was stolen THREE times in two yearsOver 600,000 credit card numbers fell into the wrong hands$10.5 billion in fraudulent transactions was reportedGaining attention from the Federal Trade Commission# 9. YahooMore than 400,000 plaintext Yahoo passwords were posted on the Internet on July 11ththe "Tech-Company-Shoulda-Known-Better" factorSQL Injection
4IT Service Delivery and Support #8. AppleA million Apple Unique Identifiers (UDIDs) were released by “AntiSec”The group claims to have 11 million more UDIDsLeveraged a Java vulnerability to access authentication related informationTo embarrass FBI, which was in the midst of investigating the hacktivist group Anonymous.# 7. Global PaymentsTheft of about 1.5 million credit cardsInclude Track 2 data – can be used to clone credit cardsnames, addresses and social security numbers were apparently not breachedImpact merchants and consumers
5IT Service Delivery and Support # 6. Ghostshell1.6 million government and contract accounts were posted to Pastebin records by “Team Ghostshell”Involving aerospace, the defense industry, financial services and law enforcementStolen data included names, addresses, passwords, phone numbers and various forms of administrator account information.“ProjectWhiteFox”- intended to attract support for freedom of information on the Internet.# 5. LinkedIn6.5 million Linkedin passwords (compromised of “unsalted SHA-1 hashes)Passwords were published in various places on the WebTeam effort to crack the passwords
6IT Service Delivery and Support 4. Nationwide Insurance, Allied Insurance CompaniesPII information breach million customers and applicantsincluding names, Social Security numbers, driver's license numbers, date of birth and possibly marital status, gender, occupation and employment informationNo Medical information and credit card numbersHigh value of the information3. South CarolinaApproximately 3.8 million tax records and nearly 400,000 credit card numbers were stolen from the South Carolina Department of Revenue.Over 2 million incidents of information theft were also nabbed through the same spearphishing exploit that stole employee usernames and passwords to gain access to the sensitive data.Improper password policies and failure to encrypt social security numbers were key enablers of the operationIt's believed to be the largest data theft from a state government.
7IT Service Delivery and Support #2. ZapposPersonal details on 24 million people were hacked and stolenInformation lncluding names, home addresses, addresses, phone numbers, the last four digits of credit card numbers, and passwordsThe company stepped up with a highly proactive response that involved new passwords and increased numbers of call center folks to help victims navigate the situation.1. The Biggest Breach Of 2012: The Government SectorGovernment sector, which, according to Boston-based security vendor Rapid7, has reported 268 individual data breaches over a period of roughly three years.In all, governments reportedly exposed more than 94 million records containing personally identifiable information.The data reveals that the number of breaches has continued to escalate each year since And, it's expected that the likely tally for 2012 will actually double the number from 2011.In addition to hacking incidents, the numbers include unintended disclosure, the loss or theft of portable devices and physical loss of devices.
8Security ObjectivesAvailability-The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to information or systems.Integrity of Data or Systems-System and data integrity relate to the processes, policies, and controls used to ensure information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy, completeness, and reliability.* Underlying Models for IT Security, NIST, SP800-33, p. 2
9Security Objectives (Cont.) Confidentiality of Data or Systems-Confidentiality covers the processes, policies, and controls employed to protect information of customers and the institution against unauthorized access or use.Accountability-Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability directly supports nonrepudiation, deterrence, intrusion prevention, security monitoring, recovery, and legal admissibility of records.Assurance-Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security measures work as intended. Assurance levels are part of the system design and include availability, integrity, confidentiality, and accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions.
10Information Security Processes Information Security Risk Assessment-A process to identify and assess threats, vulnerabilities, attacks, probabilities of occurrence, and outcomes.Information Security Strategy-A plan to mitigate risk that integrates technology, policies, procedures, and training. The plan should be reviewed and approved by the board of directors.Security Controls Implementation-The acquisition and operation of technology, the specific assignment of duties and responsibilities to managers and staff, the deployment of risk-appropriate controls, and the assurance that management and staff understand their responsibilities and have the knowledge, skills, and motivation necessary to fulfill their duties.
11Information Security Processes (Cont.) Security Monitoring-The use of various methodologies to gain assurance that risks are appropriately assessed and mitigated. These methodologies should verify that significant controls are effective and performing as intended.Security Process Monitoring and Updating-The process of continuously gathering and analyzing information regarding new threats and vulnerabilities, actual attacks on the institution or others combined with the effectiveness of the existing security controls. This information is used to update the risk assessment, strategy, and controls. Monitoring and updating makes the process continuous instead of a onetime event.Security risk variables include threats, vulnerabilities, attack techniques, the expected frequency of attacks, financial institution operations and technology, and the financial institution's defensive posture. All of these variables change constantly. Therefore, an institution's management of the risks requires an ongoing process.
12Governance Management Structure “Information security is a significant business risk that demand engagement of the Board of Directors and senior business management. It is the responsibility of everyone who has the opportunity to control or report the institution's data. Information security should be supported throughout the institution, including the board of directors, senior management, information security officers, employees, auditors, service providers, and contractors. Each role has different responsibilities for information security and each individual should be accountable for his or her actions. Accountability requires clear lines of reporting, clear communication of expectations, and the delegation and judicious use of appropriate authority to bring about appropriate compliance with the institution's policies, standards, and procedures.” FFIEC IT Examination Handbook
13Governance Responsibility and Accountability Board Executive ManagementStaff and Line-of-Business ManagersInternal Auditors
14Governance (Cont.) Board Central oversight and coordination, Assignment of responsibility,Risk assessment and measurement,Monitoring and testing,Reporting, andAcceptable residual risk.
15Governance (Cont.) Senior Management (security) Clearly support all aspects of the information security program;Implement the information security program as approved by the board of directors; Establish appropriate policies, procedures, and controls; Participate in assessing the effect of security issues on the financial institution and its business lines and processes;Delineate clear lines of responsibility and accountability for information security risk management decisions;Define risk measurement definitions and criteria;Establish acceptable levels of information security risks; andOversee risk mitigation activities.
16Governance (Cont.) Senior Management (Integrity) Ensure the security process is governed by organizational policies and practices that are consistently applied,Require that data with similar criticality and sensitivity characteristics be protected consistently regardless of where in the organization it resides,Enforce compliance with the security program in a balanced and consistent manner across the organization,Coordinate information security with physical security, andEnsure an effective information security awareness program has been implemented Information Security Booklet throughout the organization.
17Governance (Cont.) Staff & Line Managers Internal Auditors Contribute to design and implementation of IT activitiesReview and monitor security controlsDefine security requirementsInternal AuditorsAssess information control environments, including understanding, adoption and effectivenessValidate IS efforts and compare current practices to industry standardsRecommend improvement
18Information Security Risk Assessment Key StepsGather Necessary InformationIdentification of Information and Information SystemsAnalyze the InformationClassify and Rank Sensitive Data, Systems, and ApplicationsAssess Threats and VulnerabilitiesEvaluate Control EffectivenessAssign Risk Ratings
19Information Security Risk Assessment Key Risk Assessment PracticesMultidisciplinary and Knowledge Based ApproachSystematic and Central ControlIntegrated ProcessAccountable ActivitiesDocumentationEnhanced KnowledgeRegular Updates
20Information Security Strategy Architecture ConsiderationsControl Objectives for Information and Related Technology (CobiT) - provides a broad and deep framework for controls.IT Infrastructure Library (ITIL) - provides a list of recognized practices for IT service management.ISO provides a library of possible controls that can be included in an architecture and guidance in control selection.BITS (Bank Information Technology Secretariat) and other industry publications for discrete controls, such as vendor management.
21Information Security Strategy IS Policies and ProceduresImplementing through ordinary means, such as system administration procedures and acceptable-use policies;Enforcing policy through security tools and sanctions;Delineating the areas of responsibility for users, administrators, and managers;Communicating in a clear, understandable manner to all concerned;Obtaining employee certification that they have read and understood the policy;Providing flexibility to address changes in the environment; andConducting annually a review and approval by the board of directors.
23Security Controls Implementation Access ControlAccess Rights AdministrationAuthenticationShared Secret SystemsToken SystemsPublic Key InfrastructureEncryptionBiometricsAuthenticator ReissuanceBehavioral AuthenticationDevice AuthenticationMutual AuthenticationAuthentication for Single Sign-On Protocols
24Security Controls Implementation Examples of Common Authentication Weaknesses, Attacks, and Offsetting Controls:Dictionary and brute forceWarehouse attacks, (compromise an entire authentication mechanism)Social engineering,Client attacks (password, PKI key, etc),Replay attacks,Man-in-the-middle attacks, andHijacking.
25Security Controls Implementation Network AccessLayers of Access ControlGroup network servers, applications, data, and users into security domains (e.g., untrusted external networks, external service providers, or various internal user systems);Establish appropriate access requirements within and between each security domain;Implement appropriate technological controls to meet those access requirements consistently; andMonitor cross-domain access for security policy violations and anomalous activity.
26Security Controls Implementation Network AccessNetwork configuration considerationsIdentifying the various applications and systems accessed via the network,Identifying all access points to the network including various telecommunications channels (e.g., wireless, Ethernet, frame relay, dedicated lines, remote dial-up access, extranets, Internet),Mapping the internal and external connectivity between various network segments,Defining minimum access requirements for network services (i.e., most often referenced as a network services access policy), andDetermining the most appropriate network configuration to ensure adequate security and performance.
27Security Controls Implementation Firewalls - (**NIST Special Publication , "Guidelines on Firewalls and Firewall Policy." is a collection of components (computers, routers, and software) that mediate access between different security domains.)Types of FirewallsPacket Filter FirewallsStateful FirewallsApplication Firewalls
28Security Controls Implementation Packet Filter FirewallsWeaknesses associated with packet filtering firewalls include the following:The system is unable to prevent attacks that exploit application-specific vulnerabilities and functions because the packet filter does not examine packet contents.Logging functionality is limited to the same information used to make access control decisions.Most do not support advanced user authentication schemes.Firewalls are generally vulnerable to attacks and exploitation that take advantage of vulnerabilities in network protocols.The firewalls are easy to misconfigure, which allows traffic to pass that should be blocked.
29Security Controls Implementation Stateful Firewall: is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known active connection will be allowed by the firewall; others will be rejected.
30Security Controls implementation Application-Level FirewallsThe primary disadvantages of application-level firewalls are as follows:The time required to read and interpret each packet slows network traffic. Traffic of certain types may have to be split off before the application-level firewall and passed through different access controls.Any particular firewall may provide only limited support for new network applications and protocols. They also simply may allow traffic from those applications andprotocols to go through the firewall.
31Security Controls Implementation Firewall PolicyFirewall topology and architecture,Type of firewall(s) being utilized,Physical placement of the firewall components,Monitoring firewall traffic,Permissible traffic (generally based on the premise that all traffic not expressly allowed is denied, detailing which applications can traverse the firewall and under what exact circumstances such activities can take place),Firewall updating,Coordination with security monitoring and intrusion response mechanisms,Responsibility for monitoring and enforcing the firewall policy, Protocols and applications permitted,Regular auditing of a firewall's configuration and testing of the firewall's effectiveness, andContingency planning.
32Security Controls Implementation Firewall VulnerabilitySpoofing trusted IP addresses,Denial of service by overloading the firewall with excessive requests or malformed packets,Sniffing of data that is being transmitted outside the network,Hostile code embedded in legitimate HTTP, SMTP, or other traffic that meet all firewall rules,Attacks on unpatched vulnerabilities in the firewall hardware or software,Attacks through flaws in the firewall design providing relatively easy access to data or services residing on firewall or proxy servers, andAttacks against computers and communications used for remote administration.
33Security Controls Implementation Firewall Access Control Best Practices:Hardening the firewall by removing all unnecessary services and appropriately patching, enhancing, and maintaining all software on the firewall unitRestricting network mapping capabilities through the firewall, primarily by blocking inbound ICMP (Internet Control Messaging Protocol) traffic;Using a ruleset that disallows all inbound and outbound traffic that is not specifically allowed;Using NAT and split DNS to hide internal system names and addresses from external networks (split DNS uses two domain name servers, one to communicate
34Security Controls Implementation Firewall Access Control Best Practices:Using proxy connections for outbound HTTP connections;Filtering malicious code;Backing up firewalls to internal media and not backing up the firewall to servers on protected networks;Logging activity, with daily administrator reviewUsing security monitoring devices and practices to monitor actions on the firewall and to monitor communications allowed through the firewallAdministering the firewall using encrypted communications and strong authentication, accessing the firewall only from secure devices, and monitoring all administrative access;Limiting administrative access to few individuals; andMaking changes only through well-administered change control procedures.
35Security Controls Implementation Other Network Access Related Concerns:Malicious Code FilteringOutbound FilteringNetwork Intrusion Prevention SystemsQuarantineDNS Placement
36Security Controls Implementation Wireless IssuesTreating wireless networks as untrusted networks, allowing access through protective devices similar to those used to shield the internal network from the Internet environment;Using end-to-end encryption in addition to the encryption provided by the wireless connection;Using strong authentication and configuration controls at the access point and on all clients;Using an application server and dumb terminals;Shielding the area in which the wireless LAN operates to protect against stray emissions and signal interference; andMonitoring and responding to unauthorized wireless access points and clients.
37Security Controls Implementation Remote AccessDisallow remote access by policy and practice unless a compelling business justification exists.Require management approval for remote access.Regularly review remote access approvals and rescind those that no longer have a compelling business justification.Appropriately configure remote access devices.Appropriately secure remote access devices against malware (see "Malicious Code Prevention").
38Security Controls Implementation Remote AccessAppropriately and in a timely manner patch, update, and maintain all software on remote access devices.Use encryption to protect communications between the access device and the institution and to protect sensitive data residing on the access device.Periodically audit the access device configurations and patch levels.Use VLANs, network segments, directories, and other techniques to restrict remote access to authorized network areas and applications within the institution.
39Security Controls Implementation Remote AccessImplement controls consistent with the sensitivity of remote use. For example, remote use to administer sensitive systems or databases may include the following controls:Restrict the use of the access device by policy and configuration;Require two-factor user authentication;Require authentication of the access device;Ascertain the trustworthiness of the access device before granting access;Log and review all activities (e.g. keystrokes).
40Security Controls Implementation Remote AccessIf remote access is through modems:Require an operator to leave the modems unplugged or disabled by default, to enable modems only for specific and authorized external requests, and disable the modem immediately when the requested purpose is completed.Configure modems not to answer inbound calls, if modems are for outbound use only.Use automated callback features so the modems only call one number (although this is subject to call forwarding schemes).Install a modem bank where the outside number to the modems uses a different prefix than internal numbers and does not respond to incoming calls
41Security Controls Implementation Remote AccessLog remote access communications, analyze them in a timely manner, and follow up on anomalies.Centralize modem and Internet access to provide a consistent authentication process, and to subject the inbound and outbound network traffic to appropriate perimeter protections and network monitoring.Log and monitor the date, time, user, user location, duration, and purpose for all remote access.Require a two-factor authentication process for remote access (e.g., PIN-based token card with a one-time random password generator, or token-based PKI).
43Architecture Issues Security Monitoring Network traffic policies that address the allowed communications betweencomputers or groups of computers,Security domains that implement the policies,Sensor placement to identify policy violations and anomalous traffic,The nature and extent of logging,Log storage and protection, andAbility to implement additional sensors on an ad hoc basis.